This policy explains what personal data Ovolos ("we", "us") collects, why, and what rights you have. Ovolos is operated from Greece and this policy is written to meet the EU General Data Protection Regulation (GDPR). The data controller is Ovolos, reachable at [email protected].
1. Data we collect
- Account data — your name, email address, password (stored hashed), and settings such as display currency. If you sign in with Google, we receive your name, email, and avatar from Google.
- Financial data you provide — the accounts, balances, valuations, transactions, holdings, and asset details (for example a property address or a vehicle's make and model) that you enter into the Service. This is your data; you control it.
- Connected-account data — if you link an external provider (for example a bank-data aggregator), we receive the account metadata, balances, and transactions that provider exposes, read-only, and store them so your reports work. Connection credentials (tokens) are stored encrypted.
- Technical data — session cookies needed to keep you signed in, and standard server logs (IP address, browser, timestamps) kept for security and troubleshooting.
We do not collect advertising identifiers and we do not use tracking or analytics cookies.
2. How we use your data
- To operate the Service: storing your records, computing net worth, rendering reports (legal basis: performance of our contract with you).
- To run features you invoke — for example AI categorisation of transactions or an AI valuation of an asset (contract / your request).
- To secure the Service and prevent abuse (legitimate interest).
- To contact you about important Service changes (legitimate interest / legal obligation).
We do not sell your data, share it with advertisers, or use it to train AI models.
3. Processors we share data with
The Service relies on a small set of processors, each receiving only what its feature needs, only when you use that feature:
- Bank-data aggregators (e.g. Lunch Flow) — when you connect a bank, the connection is established with them and they return your account data, read-only.
- Anthropic (Claude) — when AI features run, relevant snippets (e.g. transaction descriptions to categorise, an asset's description to value or find a photo for) are sent to the Anthropic API. We do not permit training on this data.
- Market & reference data (e.g. EODHD for instrument prices, exchange-rate feeds) — receive only instrument symbols or currency codes, never your identity or balances.
- Blockchain explorers (e.g. GoldRush, Blockfrost, public nodes) — receive only the public wallet addresses you add.
- Maps & geocoding (Google Maps, MapTiler) — receive property addresses you enter, to plot them.
- Image search (Serper, Openverse, Wikimedia) — receive only a vehicle's make/model/year/colour as a search query when you ask for a photo.
- Email delivery and hosting infrastructure — process data as needed to run the Service.
Some processors are located outside the EEA (for example in the United States). Where that is the case, transfers rely on adequacy decisions or standard contractual clauses.
4. Retention and deletion
- Your data is kept for as long as your account exists — a wealth tracker's value is its history, so nothing is silently pruned.
- You can delete individual records, disconnect providers (which stops new data flowing), or delete your entire account at any time.
- Account deletion removes your personal and financial data from the live system without undue delay; residual copies in encrypted backups expire on the backup rotation schedule.
- Server logs are kept for a short, rolling window.
5. Security
- All traffic is encrypted in transit (TLS).
- Provider credentials and tokens are encrypted at rest; passwords are hashed, never stored.
- Every query in the application is scoped to your account — tenant isolation is enforced at the data layer.
6. Your rights
Under the GDPR you can, at any time:
- access the personal data we hold about you, and export your data;
- correct inaccurate data;
- have your data erased ("right to be forgotten");
- restrict or object to processing based on legitimate interest;
- lodge a complaint with a supervisory authority — in Greece, the Hellenic Data Protection Authority (dpa.gr), or the authority of your country of residence.
To exercise any of these rights, email [email protected]. We respond within the timelines the GDPR requires.
7. Children
The Service is not directed at, and may not be used by, anyone under 18.
8. Changes to this policy
We may update this policy as the Service evolves. Material changes will be announced in the Service or by email before they take effect; the "Last updated" date above always reflects the current version.
9. Contact
Privacy questions and requests: [email protected].